2 DNS Server

Run

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads SYSLOGD="-a /var/lib/named/dev/log":

vi /etc/default/syslogd

SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

3 MySQL

In order to install MySQL, we run

apt-get install mysql-server mysql-client libmysqlclient15-dev

You will be asked to provide a password for the MySQL root user - this password is valid for the user [email protected] as well as [email protected], so we don't have to specify a MySQL root password manually later on (as was the case with previous Ubuntu versions):

New password for the MySQL "root" user:<-- yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

6.1 Edit master.cf

BTW watch for the two Postfix configuration files, both located in the /etc/postfix folder. More than one admin has gotten confused between master.cf and main.cf!

First back up the current master.cf:

cp /etc/postfix/master.cf /etc/postfix/master.cf-orig

Edit master.cf:

vi /etc/postfix/master.cf

We need to add two items below the pickup service type. The pickup service "picks up" local mail (local meaning "on this machine") and delivers it. This is a way to bypass content filtering for mail generated by this machine.

6.2.1 alias_maps

Since our system will be configured not to store any local mails, this will be ignored.

6.2.2 myorigin

The domain name that mail created on this machine appears to come from. For example, if cron sends mail to "[email protected]" it will appear to come from "[email protected]".

postconf -e "myorigin = example.com"

Obviously, in the above, and all the following commands, replace my example parameters, like "example.com", with your own specific values.

6.2.3 myhostname

The fully-qualified domain name (FQDN) of the machine running the Postfix system.

postconf -e "myhostname = server1.example.com"

6.2.4 mynetworks

These are the machines I trust, and will relay mail for, to any destination. If you will be dealing with multiple internal mail servers, and/or want to allow several machines and/or subnets to relay through this server (careful!), just add them to this parameter in CIDR format and seperate the networks like this:

postconf -e "mynetworks = 127.0.0.0/8, 192.168.0.0/24"

The 127.0.0.0/8 is there to allow the local server to send, you need to at least put this one in.

6.2.4.1 outbound trusted relay IP

If you'd like your SpamSnake to handle outgoing emails as well, be sure to add your local network to the list e.g. 192.168.0.0/24 172.16.0.0/16. If your mailserver is 172.16.5.20 and you only want to trust only that IP, add 172.16.5.20/32. You just have to setup your mailserver to relay (smarthost) to your SpamSnake.

6.2.5 message_size_limit

Maximum size email that Postfix will let in the "front door".

postconf -e "message_size_limit = 10485760"

The above allows email up to 10MB, the value is in bytes (10*1024*1024). Mail larger than this may possibly get bypassed by the anti-virus scanner (ClamAV). You could increase this if you also configure ClamAV to scan files larger than 10MB. If you allow messages larger than 10MB, keep an eye on RAM.

6.2.6 local_transport

Return an error message for local delivery attempts.

postconf -e "local_transport = error:No local mail delivery"

6.2.7 mydestination

An empty mydestination tells Postfix this machine is not the final destination.

postconf -e "mydestination = "

6.2.8 local_recipient_maps

An empty local_recipient_maps tells Postfix there are no local mailboxes.

postconf -e "local_recipient_maps = "

6.2.9 virtual_alias_maps

Our spamfilter must be able to receive mail for [email protected] Reportedly, some things actually expect this ability to exist. We will also allow mail to [email protected] Since we do not allow local mail delivery, mail addressed to our spamfilter's IP address will get rejected with an error message. Setting up virtual_alias_maps allows email to these two accounts to be forwarded to an inside address. Make sure your Exchange server is set up to receive messages addressed to "root", "postmaster" and "abuse".

For the moment, we are going to accept mail for all users in our domain(s) so enter each domain you accept mail for in the following format:

@example.com OK
@example2.com OK

Then create the binary file that Postfix will use:

postmap /etc/postfix/relay_recipients

The entries above are temporary. They are wildcards that allow mail to your domains. You MUST remove the entries above at some point in the near future and replace them with every single one of your valid recipients' email addresses. When you are ready to enter each user individually in the relay_recipients file, you would first remove (or comment out) the data above that allows mail to all users in the domain, and then list each user individually in the form:

6.2.11 transport_maps

Tells Postfix where to look for a transport file. We use the transport file to tell Postfix where to forward valid mail for our domain(s). Setting up transport is similar to setting up relay_recipients.

Create a reference to it in main.cf:

postconf -e "transport_maps = hash:/etc/postfix/transport"

Then edit transport:

vi /etc/postfix/transport

Add 1 new line for each domain for which you will be handling mail, similar to the example below. The IP address is that of whatever server is the final destination of messages addressed to our domain(s) (our Exchange server). It does not matter where you place these items in the file, but I like to put them at the top.

example.com smtp:[192.168.0.x]
example2.com smtp:[192.168.0.x]

Include the brackets on these lines!. You can also use FQDN hostname instead of an IP address (i.e. smtp:[exchange1.example.com]).

Now to create the binary file Postfix will use:

postmap /etc/postfix/transport

6.2.12 relay_domains

What destination domains (and subdomains thereof) this system will relay mail for.

postconf -e "relay_domains = hash:/etc/postfix/relay_domains"

Edit relay_domains:

vi /etc/postfix/relay_domains

Add 1 new line for each domain for which you will be handling mail, similar to the example below:

example.com OK
example2.com OK

This file currently has a very similar format to relay_recipients do not mistake the two. This file cannot have '@' in front of the domain name. Just thought I'd mention it, some very smart people have been known to have done this...

There is no reason to chroot bind9 if using AppArmor. Chrooting bind is the traditional way to limit file access for bind9, and it works fine, but does not confine bind9 as much as an AppArmor profile can. AppArmor also limits file access, networking and capabilities for bind9, and the Ubuntu developers have created a default bind9 installation that does not require any additional configuration for securing bind9. This way all users of bind9 can benefit from it.

Additionally, this tutorial recommends to disable all of AppArmor. Unless you have a very specific need to do so, this is not recommended. If you opt to chroot bind9 instead of use AppArmor, then please disable the profile, and leave the other profiles that are not causing problems to do their jobs. See my blog entry athttp://penguindroppings.wordpress.com/2009/07/07/should-i-disable-apparmor/ for details.

I would like to know the issues if any to leave bind9 alone and let apparmor deal with the security? I see that the author would like you to chroot bind9 but I wonder if it is out of habit or necessity.